During Deadly Floods, Central Texas Hit with Online Scams: BforeAI
The devastating floods in Central Texas that killed at least 135 people and caused widespread damage in early July dominated the headlines, garnering the attention of the media, government agencies and relief organizations.
Scammers also took notice, setting up fraudulent charities and donation and aid websites, running contractor and government imposter schemes, offering fake mortgage relief initiatives, and contacting people through email, texts and other methods, targeting either victims of the flooding or people anxious to help.
A report released this week by BforeAI, which uses behavioral AI for its predictive cybersecurity offerings, put a spotlight on the speed and scope of the online scams that targeted the Texas flooding. Researchers with the vendor’s threat intelligence unit, PreCrime Labs, identified more than 70 suspicious or malicious domains that arose within 10 days of the start of the floods.
Of those, 13 were registered within a week, about the time that the floods began to gain national attention.
“Many of the domains analyzed as part of this advisory feature typical themes that leverage flood-related services, donation drives and legal fraud baits like fake flood insurance claims and lawsuits,” the researchers wrote, adding that they “also observed volunteer registration forms with PII-harvesting (personal identifiable information) risks and Google SEO or sponsored ad manipulation.”
‘Disaster Scams’ a Constant Threat
The fact that bad actors cropped up so quickly after the flood’s onset isn’t surprising. Such “disaster scams” are common, with government agencies and other organizations warning people about them and offering tips people can use to protect themselves, from not giving out personal or account information and researching charities before donating to verifying insurance offers and being wary of email links.
In the wake of the Texas floods, the FBI, Federal Trade Commission, the Securities and Exchange Commission and other federal and state agencies issued warnings about scammers, as did other organizations, such as financial services firms and nonprofit groups.
In its statement, the FBI’s San Antonio office noted that in 2024, the agency’s Internet Crime Complaint Center (IC3) received more than 4,500 complaints representing about $96 million in losses from fraudulent charities and disaster relief campaigns.
Common Themes in Fake Domains
According to the PreCrime Labs researchers, fewer than 10% of the suspicious domains were blocklisted on VirusTotal, an online service that analyzes suspicious files and URLs, or on other top threat feeds, and most were hosted on free page builders like Cloudflare Pages, GoDaddy and Freenom.
There also were other common themes, including the reuse of subdomain-style phishing paths like “register,” “claim,” “donate,” and “volunteer,” and the cloning of legitimate release or news pages. In addition, WHOIS privacy – a service that hides personal information – was enabled on 94% of the domains, and some domains redirected people to Telegram or WhatsApp bot links.
In addition, there were infrastructure patterns that were linked to prior natural disaster scams. The researchers found that 46 of the suspicious domains had been updated since January, adding that it “indicates that even if a spike in registrations of scam domains isn’t seen again in 2025, it doesn’t mean that the threat has passed.” The infrastructure is already in place.
Pointing to a report in the Fort Worth Star-Telegram, they wrote that a blue-ribbon study found that between 1986 and 2000, Texas had 4,722 flash floods, and that it made “the risk of Texas residents being targeted in this way a frequent problem.”
Themed Merchandise, False Promises
The PreCrime Labs researchers also noted a few examples of what they found, including “Texas Flood Today,” a blog-style webpage that “appears to have language-specific targeting unrelated to regional aid bodies.” It was hosted on unknown domains that were not associated with any official or media source.
There was a commercial website called “Pray for Texas” that offered various pieces of merchandise, including shirts promoting flood disaster relief, Pray for Texas apparel, and politically branded tote bags.
“A common theme that has been seen during disaster relief-based malicious campaigns is themed merchandise under the guise of solidarity and support,” they wrote. “Such websites use emotionally charged language and imagery (‘Pray for Texas,’ ‘Flood Support,’ ‘Tragedy Shirt’) to drive purchases with no visible or verifiable link to actual relief efforts or nonprofits.”
Another site used the images and logos of the NBA and players to push “Texas Strong” merchandise, promising that buying items would help flood relief efforts. The language suggested an official link with NBA Summer League players, but there was no proof to support the claim, the researchers wrote.
What Security Teams, Agencies Can Do
They recommended that security teams and security services providers implement automated blocking or sandboxing of newly registered domains that include crisis-related themes during such events as natural disasters, a move that could reduce the reach of phishing and malware delivery infrastructure that mimics government aid or relief organizations. They can also flag keywords like “relief” and “donate” and work with ICANN-accredited registrars and the domain abuse desk to accelerate the identification, verification and takedown of fraudulent domains.
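One way a security team could implement that triage, shown as an added example that is not taken from the BforeAI report: a Python filter over a feed of newly registered domains. The feed format, keyword lists, 10-day threshold, allowlist and all domain names (under the reserved .example TLD) are constructed assumptions.

```python
from datetime import date

# Keyword lists are assumptions seeded from terms in the article; tune per event.
EVENT_TERMS = ("texas", "flood")
LURE_TERMS = ("relief", "donate", "claim", "register", "volunteer")
MAX_AGE_DAYS = 10  # assumption: mirrors the 10-day window in the report
# Constructed allowlist standing in for agency-published verified domains.
VERIFIED = {"verified-flood-relief.example"}


def triage(record: dict, today: date) -> str:
    """Return 'allow', 'sandbox' or 'block' for one new-domain feed record."""
    domain = record["domain"].lower().rstrip(".")
    if domain in VERIFIED:
        return "allow"
    # A recent WHOIS update counts as activity: older scam domains get reused.
    registered = record["registered"]
    last_touched = max(registered, record.get("updated") or registered)
    if (today - last_touched).days > MAX_AGE_DAYS:
        return "allow"  # outside this rule's scope; other controls still apply
    name = domain.rsplit(".", 1)[0]  # drop the TLD before keyword matching
    event_hit = any(term in name for term in EVENT_TERMS)
    lure_hit = any(term in name for term in LURE_TERMS)
    if event_hit and lure_hit:
        return "block"
    if event_hit or lure_hit:
        return "sandbox"  # single signal: isolate and review, do not hard-block
    return "allow"


# Constructed feed records; every domain uses the reserved .example TLD.
FEED = [
    {"domain": "texasflood-donate.example", "registered": date(2025, 7, 8)},
    {"domain": "claim.floodhelp.example", "registered": date(2025, 7, 6)},
    {"domain": "stormaid-volunteer.example", "registered": date(2024, 9, 1),
     "updated": date(2025, 7, 9)},
    {"domain": "verified-flood-relief.example", "registered": date(2025, 7, 5)},
    {"domain": "bakery-news.example", "registered": date(2025, 7, 7)},
    {"domain": "texasrelief-old.example", "registered": date(2019, 3, 2)},
]


def run(today: date = date(2025, 7, 12)) -> dict:
    """Triage the constructed feed as of `today` and return domain -> verdict."""
    return {r["domain"]: triage(r, today) for r in FEED}


if __name__ == "__main__":
    for domain, verdict in run().items():
        print(f"{verdict:8} {domain}")
```

Blocked and sandboxed entries are also the candidates to forward to the registrar's abuse desk for verification and takedown.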
Government and relief agencies can make sure that verified domains for aid, relief funds, and crisis communication are broadly shared and amplified in the media, social platforms, and emergency broadcasts as soon as possible after a disaster.
Also, dedicated online portals or hotlines could be set up to let the public report suspicious activities.

